
I've found that I can edit a zone file like this:

 $ORIGIN us.example.com.
 @           IN    DNAME another.example.com.

But what if I do not know all the subdomains in advance? Is it possible to do something like this:

 $ORIGIN *.example.com.
 @           IN    DNAME another.example.com.

Basically I would like to redirect every subdomain to a single point.

Is it possible/correct? I've found that RFC 6672 advises against wildcard usage. Why so? And is it about my case above?

Edit: If the above is not correct, can I do this:

 *.example.com. IN DNAME example.com.
 example.com.   A     192.168.1.1

or this:

 *.example.com. A 192.168.1.1

Artie

2 Answers


This will simply not work, as the $ORIGIN must contain a valid zone name. A wildcard is not a valid zone name.

At best, you can hope to script the creation of all of the zones you require in your BIND configuration, and point them all at the same generic zone file.

Vasili Syrakis
  • Edited my question, can you please check it one more time? – Artie Apr 07 '15 at 16:30
  • In regard to your second question, you "can" but that doesn't mean you should in every case. I don't see it as an issue with A records, but with DNAMEs you might run into some issues. – Vasili Syrakis Apr 07 '15 at 23:32
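One way to do what Vasili suggests, as an added example that is not code from either answer: a small Python script that emits one BIND `zone` stanza per subdomain, all pointing at the same generic zone file, refuses wildcard labels in zone names (the reason `$ORIGIN *.example.com.` cannot work), and flags any wildcard DNAME record in the shared zone file, the pattern RFC 6672 says SHOULD NOT be used. The subdomain list and the file path are assumptions.

```python
"""Generate per-subdomain BIND zone stanzas that share one generic zone file.

Added example, not from the original answers. The shared zone file is assumed
to use "@" as the owner name so it loads unchanged under any zone name, e.g.:

    $TTL 3600
    @  IN SOA   ns1.example.com. hostmaster.example.com. ( 1 3600 900 604800 300 )
    @  IN NS    ns1.example.com.
    @  IN DNAME another.example.com.
"""
import re

# A zone name is made of plain hostname labels; '*' is not a label, so a
# wildcard can never be a zone name (and therefore never a valid $ORIGIN).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_valid_zone_name(name: str) -> bool:
    """True if every label is a hostname label, so '*.example.com.' is rejected."""
    labels = name.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def zone_stanza(zone: str, zonefile: str) -> str:
    """One named.conf 'zone' block that loads the shared generic zone file."""
    if not is_valid_zone_name(zone):
        raise ValueError(f"not a valid zone name: {zone!r}")
    return f'zone "{zone}" {{\n    type master;\n    file "{zonefile}";\n}};\n'


def generate_named_conf(subdomains, parent: str, zonefile: str) -> str:
    """Emit one stanza per subdomain of `parent`; duplicates are collapsed, output sorted."""
    return "".join(zone_stanza(f"{sub}.{parent}", zonefile) for sub in sorted(set(subdomains)))


# Matches a record whose owner starts with '*' and whose type is DNAME,
# with optional TTL and class fields: "*.example.com. 3600 IN DNAME ..."
WILDCARD_DNAME_RE = re.compile(r"^\*(?:\.\S*)?\s+(?:\d+\s+)?(?:IN\s+)?DNAME\b", re.IGNORECASE)


def find_wildcard_dnames(zone_text: str):
    """Return 1-based line numbers of wildcard DNAME records in a zone file."""
    return [n for n, line in enumerate(zone_text.splitlines(), 1)
            if WILDCARD_DNAME_RE.match(line.strip())]


if __name__ == "__main__":
    # Constructed input: three country subdomains sharing one DNAME zone file.
    print(generate_named_conf(["us", "uk", "de"], "example.com", "/etc/bind/db.generic-dname"))
```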

Putting aside the $ORIGIN issue (which Vasili is 100% correct on), the RFC that defines the DNAME record type (RFC6672) actively discourages it.

3.3. Wildcards

The use of DNAME in conjunction with wildcards is discouraged [RFC4592]. Thus, records of the form "*.example.com DNAME example.net" SHOULD NOT be used.

The interaction between the expansion of the wildcard and the redirection of the DNAME is non-deterministic. Due to the fact that the processing is non-deterministic, DNSSEC validating resolvers may not be able to validate a wildcarded DNAME.

A server MAY give a warning that the behavior is unspecified if such a wildcarded DNAME is loaded. The server MAY refuse it, refuse to load the zone, or refuse dynamic updates.

While the language "SHOULD NOT" and "MAY" does not forbid you from attempting to do this, you really shouldn't. Following that RFC4592 reference, we come across this:

4.4. DNAME RRSet at a Wildcard Domain Name

Ownership of a DNAME [RFC2672] RRSet by a wildcard domain name represents a threat to the coherency of the DNS and is to be avoided or outright rejected. Such a DNAME RRSet represents non-deterministic synthesis of rules fed to different caches. As caches are fed the different rules (in an unpredictable manner) the caches will cease to be coherent. ("As caches are fed" refers to the storage in a cache of records obtained in responses by recursive or iterative servers.)

Not only do these standard-defining RFCs provide technical reasons why this is a bad idea, they actively encourage DNS software not to support the feature, while not explicitly forbidding it. These reasons are more than enough to make me think twice about ever trying to implement it.

Andrew B